I was asked to create an official code verification policy document. It should be PCI compliant, but I have no idea what such a document might look like or what it should include. Are there any examples of such a document?
WindowsSecurity.com has a white paper that you can download: PCI Compliance Transfer Section 6.6: Code Reviews and Application Firewalls
For a general picture (the entire software life cycle, of which code review is one part), see ISO/IEC/IEEE 12207, ISO/IEC/IEEE Standard for Systems and Software Engineering - Software Life Cycle Processes. It devotes a full chapter to the formal software review process, covering the roles of participants, input documents, allocation of time for reviews, the creation of "anomaly" documents, categorization of severity, exit decisions and output documents.